Category: GDPR

How will the GDPR impact open source communities?

This new regulation by the European Union will impact how organizations need to protect personal data on a global scale. The General Data Protection Regulation was approved by the EU Parliament on April 14, 2016, and will be enforced beginning May 25, 2018. The aim of the GDPR is to protect the personal data of individuals in the EU in an increasingly data-driven world. The GDPR applies to all organizations processing the personal data of data subjects residing in the European Union, regardless of the organization's location. The GDPR brings many changes, strengthening data protection and privacy of EU persons compared to the previous Directive.

EU persons get expanded rights by the GDPR. One of them is the right to ask an organization if, where and which personal data is processed. Upon request, they should also be provided with a copy of this data, free of charge, and in an electronic format if this data subject asks for it. It will need to have specific features such as obtaining and storing consent, extracting data and providing a copy in electronic format to a data subject, and finally the means to erase specific data about a data subject. Under the GDPR, a data breach occurs whenever personal data is taken or stolen without the authorization of the data subject.

Once discovered, you should notify your affected community members within 72 hours unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. As an organization, you will become responsible for keeping a register which will include detailed descriptions of all procedures, purposes, etc., for which you process personal data. I have covered some of the parts of the regulation that could be of impact to an open source community, raising awareness about the GDPR and its impact.

GDPR: The EU’s General Data Protection Regulation, explained

In May 2018, the General Data Protection Regulation will take effect and change the rules of the road for companies that collect, store or process large amounts of user information. Without a doubt, the GDPR will be a significant factor in guiding Facebook’s data privacy policies moving forward. Given that many online businesses have European customers or users, whether or not they have offices or store data there, the EU is essentially setting a new global standard for data and privacy. It’s not just Facebook, Google and other big internet companies that will have to comply: Health care providers, insurers, banks and any other company dealing in sensitive personal data will also be on the hook.

The GDPR applies to any organization that collects, processes, manages or stores the data of European citizens. The GDPR essentially sets a new global standard for data protection. The regulation applies to a broad array of personal data including name, ID numbers and location, as well as IP addresses, cookies and other digital fingerprints. Facebook’s response is sure to be closely scrutinized by European regulators, given the company’s checkered past with regard to user data. The GDPR requires companies that have lost control over customer data, or who have been hacked, to notify users within 72 hours.

The GDPR requires businesses and organizations to obtain parental consent to process the personal data of children under the age of 16. The Transatlantic Consumer Dialogue, a coalition of US and European consumer groups, has called on Facebook to adopt the GDPR’s new standards including its expansive definition of personal data and requirement for rapid, comprehensive notification in case of a breach.

GDPR Compliance

As a global company with customers in nearly every country in the world, protecting the personal data of our customers and their end-users continues to be a priority. GDPR represents an opportunity to continue our commitment in this area. LogMeIn already participates in the EU-U.S. and Swiss Privacy Shield Frameworks and is compliant with current applicable EU data protection rules. At LogMeIn, our ongoing compliance review and actions build on our existing investments in privacy, security, and the operational processes necessary to meet the applicable requirements of GDPR by May 25, 2018.

While the GDPR does not introduce significant new requirements to LogMeIn’s security and privacy practices and principles, we are hard at work to ensure GDPR compliance by the implementation date. Data Security: LogMeIn maintains rigorous technical and organizational security practices and measures, both in how we handle customer Content, including any personal information located therein, and in the capabilities of our services and products that assist you in safeguarding your Content. We continue to evaluate industry standard practices with respect to data privacy and information security and strive to continuously meet or exceed those standards. This GDPR-compliant DPA ensures that any transfer of personal data outside the European Economic Area in connection with your relationship with LogMeIn will be performed in compliance with the GDPR. Privacy Shield: LogMeIn also demonstrates its commitment to maintaining appropriate privacy and security standards around the collection, use, transfer, and retention of personal data from the EU and Switzerland by participating in the EU-U.S.

What is the GDPR, its requirements and deadlines?

The General Data Protection Regulation is expected to set a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to comply. According to the RSA Data Privacy & Security Report, for which RSA surveyed 7,500 consumers in France, Germany, Italy, the UK and the U.S., 80 percent of consumers said lost banking and financial data is a top concern. An alarming statistic for companies that deal with consumer data is the 62 percent of the respondents to the RSA report who say they would blame the company for their lost data in the event of a breach, not the hacker. Web data such as location, IP address, cookie data and RFID tags. Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.

The GDPR defines several roles that are responsible for ensuring compliance: data controller, data processor and the data protection officer. The data controller defines how personal data is processed and the purposes for which it is processed. Data processors may be the internal groups that maintain and process personal data records or any outsourcing firm that performs all or part of those activities. The GDPR requires the controller and the processor to designate a DPO to oversee data security strategy and GDPR compliance. Companies are required to have a DPO if they process or store large amounts of EU citizen data, process or store special personal data, regularly monitor data subjects, or are a public authority.

The GDPR places equal liability on data controllers and data processors. Before you can define roles and responsibilities, you must know exactly what data you have, where and how it is processed, and the data flows.

How GDPR Impacts Marketers: What You Need to Know

In this article, you’ll find a plain-language overview of GDPR, how it could impact your data collection, and what you need to do to make sure you’re compliant before May 25, 2018. A non-EU-based business must comply with the GDPR if it collects or processes personal data of any EU resident. GDPR may require significant changes in how a company discloses and obtains consent to collect personal data. Explain why the entity wants the data and what it will do with the data. Individuals have a right to access their data, which means the right to know where, why, and how their data is processed.

Under GDPR, a company may not collect personal data of anyone under 16 without parental consent. For many social media marketers, there are many questions about whether compliance is necessary for companies outside of the EU. However, non-EU companies must comply with GDPR if: 1) they collect or process personal data of any EU resident, or 2) the company’s activities relate to offering goods or services to EU citizens, regardless of whether payment is required. Any non-EU-based business must comply with the GDPR if it collects or processes personal data. After you’ve determined what personal information you collect or process, obtain explicit consent, described above, for each reason you collect such data.

If you still aren’t sure exactly what personal data you may be collecting, here are a few examples that are common for social media marketers, along with some tips on how to stay compliant for each. If you have ads on your website from a third-party ad server, upon entering your site, users should immediately consent to your use of a third-party server that collects user data for advertising and marketing purposes. GDPR Personal Data Reports: generates a personal data report for users invoking their Right of Access.

What the GDPR Means to Social Media Marketers

That’s the penalty for failing to comply with the General Data Protection Regulation, the EU’s new data privacy law. So if you are a business with customers in the EU, the GDPR will be applicable to you when you are handling personal data of your EU customers. Greater trust: Your customers will know what data of theirs is collected and how it will be used. Improved marketing experience: With stricter regulation on the use of personal data for marketing and advertising, consumers will likely have a better experience while surfing the internet. More privacy: Businesses are required to collect and process only personal data that are necessary for each specific purpose and implement measures to protect personal data.

More security of their personal data: With stricter rules on collection and processing of personal data, there would likely be fewer data breaches such as the recent incidents. This is because most organic social media activities such as posting content and engaging fans do not collect personal data from people who view or engage with it. You would not want to export or scrape contact details from your social media followers or groups as that is personal data. Under the GDPR, if you want to use your customers’ data or track their behavior for advertising, you must obtain the legal basis to do so. You have to state what data will be collected and how it will be used.

Several social media advertising features use customer data that you upload, collect personal data, or track behavior on your site. There have also been some changes to lead form ads on Facebook and LinkedIn to help you stay compliant with the GDPR. As you would be collecting data through lead forms, you’ll need to state how the data will be processed and establish a legal basis for processing the data.

Commentary: GDPR: Will It Transform U.S. Corporate Titans?

GDPR will codify data protection rules for all companies that collect data from EU citizens while greatly expanding individuals’ control over how and when their personal data is collected and used. If even a single EU citizen visits the website of a company based anywhere in the world and data is collected on that individual, that company must comply with GDPR or risk severe penalization. Under the new rules, these companies will need to be much more specific about how they will use data and get permission for these specific uses. In the U.S. especially, where many companies are built on their ability to capture, sell, or leverage data to target individuals, the new regulations (which grant individuals the right to have their information deleted from databases under various circumstances) will force businesses of all sizes and kinds to dramatically rethink their data practices.

With member nations ramping up their enforcement capabilities as we speak, it is becoming clear that all companies, not just the industry giants, could be targeted. Facing a new regulatory minefield, U.S.-based companies have a narrow window of time to assess their capabilities and vulnerabilities and address areas of concern. Companies will no longer be able to rely on the fine print and must have privacy policies that are clear and consumer-friendly. EU citizens will now have the right to know what information a company has gathered on them. GDPR extends this right much further, requiring companies to delete even non-publicly shared data under a variety of circumstances.

If the user asks to be forgotten and then a month later gets an email solicitation from that company, they can file a complaint. Because there is no history to study, all companies must start from square one. Many companies are waiting for the first shoe to drop in order to react.

How Europe’s GDPR Will Mean Your Data Belongs to You: QuickTake

The European Union is introducing tougher rules for how data collectors gather and use its citizens’ information, and lets consumers control their own data. Starting May 25, all 28 EU nations will be applying the General Data Protection Regulation, which sets new standards for any holder of sensitive data, from Amazon to your local government council. These rules will apply to any company that collects the personal data of EU residents. Consumers will have the right to retrieve their data and give it to another business. If a firm has fewer than 250 employees but collects large quantities of sensitive data, it will also need a DPO.

If there’s a data breach, electronic data collectors will have to notify authorities within 72 hours and will have to alert customers in a timely manner if the breach poses a risk to them. So situations like Uber’s attempts to cover up its 2016 data hack, or the slow release of information on Yahoo’s massive breach in 2013, will now be punishable with huge fines. In cases of negligence or violating the conditions of consent and infringing on data subject rights, the fines can go as high as $24.8 million, or 4 percent of annual worldwide revenue, whichever is higher. They’ll have free access to the data that’s been collected on them and more information on how it’s being used. Data will be destroyed when it is no longer needed for the original task.

To request access to their data, consumers will contact the data controller or controllers, whose contact info must be provided to consumers whenever information is collected. Because consumers will own their data, eventually they may be able to trade things like gift certificates from Zara in exchange for their shopping histories with J. Crew. They’ll need to make sure that the data they’ve collected adheres to new protocols.

The new privacy change and terms of service consent flow will appear starting this week to European users, though they’ll be able to dismiss it for now – although the May 25th GDPR compliance deadline Facebook vowed to uphold in Europe is looming. Facebook says it will roll out the changes and consent flow globally over the coming weeks and months with some slight regional differences. Facebook brought a group of reporters to the new Building 23 at its Menlo Park headquarters to preview the changes today. Feedback was heavily critical as journalists grilled Facebook’s deputy chief privacy officer Rob Sherman. Questions centered around how Facebook makes accepting the updates much easier than reviewing or changing them, but Sherman stuck to talking points about how important it was to give users choice and information.

Trouble at each step of Facebook’s privacy consent flow. Facebook’s consent flow starts well enough with the screen above offering a solid overview of why it’s making changes for GDPR and what you’ll be reviewing. A major concern that’s arisen in the wake of Zuckerberg’s testimonies is how Facebook uses data collected about you from around the web to target users with ads and optimize its service. Facebook recently rewrote its terms of service and data use policy to be more explicit and easy to read. It didn’t make any significant changes other than noting the policy now applies to its subsidiaries like Instagram and Messenger.

To keep all users abreast of their privacy settings, Facebook has redesigned its Privacy Shortcuts in a colorful format that sticks out from the rest of the site. Overall, it seems like Facebook is complying with the letter of GDPR law, but with questionable spirit. When asked to clear a higher bar for privacy, Facebook delved into design tricks to keep from losing our data.

Answers to Basic Questions

GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for EU residents. This legal framework replaces the current EU Data Protection Directive with additional requirements that you need to be aware of. The new EU data protection regime extends the scope of the EU data protection law to all companies, even outside the EU, when they process data of EU residents. GDPR makes no distinction between B2B and B2C and applies to both of them. Even though PECR allowed a soft opt-out approach in email marketing, the new ePrivacy Directive is under review and is going to align with the GDPR.

GDPR will officially apply from 25th May 2018, at which time those companies or organisations in non-compliance may be subject to fines. GDPR applies to persons and entities of all sizes that process personal data of EU residents, regardless of where they are based. These regulations apply to both data controllers and data processors, including third parties such as cloud providers. It applies to all 28 EU member states and to entities and organisations outside the EU when processing the data of citizens within it. No.

GDPR comes into effect before the UK officially leaves the European Union on March 29th, 2019. An equivalent set of data protection regulations needs to be in place to continue trading with the EU. The maximum penalty for organizations in non-compliance with GDPR can be up to €20 million or 4% of annual global turnover, whichever is greater. There is a tiered approach to fines, e.g., a company can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment.


A comprehensive guide to the General Data Protection Regulation

The General Data Protection Regulation puts regulatory teeth into longstanding governmental guidance about how EU member states handle personally identifiable information. This level of regulatory oversight of personal data is unprecedented and will require companies to ensure the highest levels of privacy protection or suffer dire financial consequences. The GDPR is the latest in a series of EU parliamentary measures designed to put the highest levels of protection around personal data. Recognizing that data can travel well beyond the borders of the EU, GDPR provides protection to EU citizens no matter where their data travels. The GDPR operates with an understanding that data collection and processing provides the basic engine that most businesses run on, but it unapologetically strives to protect that data every step of the way while giving the consumer ultimate control over what happens to it.

According to GDPR, companies must ensure that customers have control over their data by including safeguards to protect their rights. The GDPR applies to all companies that process personal data of EU citizens, regardless of where the EU citizen resides. This includes the data subject’s right to get copies of their data and information on how it’s being used and the right to be forgotten, also known as Data Erasure. GDPR requires companies that process large amounts of data to hire dedicated personnel to manage all aspects of GDPR compliance. The US Commerce Department-created EU-US Privacy Shield framework was implemented specifically to comply with transatlantic data protection requirements.

It’s likely that companies will have to adapt standard marketing processes, such as data mining, location targeting and remarketing, and think of new ways to handle data. The GDPR assigns liability to the data processors and controllers and does not require smaller operations to hire a data officer.

Consent under the GDPR

We’ve already tackled some myths around consent when it comes to the General Data Protection Regulation and you’ll be pleased to hear we’ve now published our final detailed guidance on consent to help you on your GDPR journey. From marketing agencies, to clubs and associations, to local authorities, consent has been a hotly debated topic. Myth #9: "We have to get fresh consent from all our customers to comply with the GDPR." You do not need to automatically refresh all existing consents in preparation for the new law. The GDPR sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard.

If they do, there is no need to obtain fresh consent. Where you have an existing relationship with customers who have purchased goods or services from you, it may not be necessary to obtain fresh consent. It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act. So think about whether you actually need to refresh consent before you send that email, and don’t forget to put in place mechanisms for people to withdraw their consent easily. If consent is the appropriate lawful basis, then that energy and effort must be spent establishing informed, active, unambiguous consent.

Organisations risk non-compliance if their emails are difficult to follow and key information is lost at the end of long text – people must clearly understand what they are consenting to. Some have said that they will lose customers by bringing their consents to the GDPR standard. As the Commissioner said in her blog ‘consent is not the ‘silver bullet’ for GDPR compliance’ consent is one way to comply with the GDPR, but it’s not the only way.

Update on Privacy and GDPR Compliance

Respecting users’ privacy and ensuring a safe experience on Disqus. Now, with the General Data Protection Regulation set to take effect, on May 25th, we want to share an update on our work to comply with new regulations and ensure that users and publishers who use Disqus can continue to do so with confidence. With these updates, we intend to improve the experience for users on Disqus, rather than simply check off boxes for compliance. Although GDPR applies exclusively to data collected from persons located in the European Union, our plans focus on network-wide improvements and new functionalities for all users on Disqus. Currently, users with Disqus accounts can update their settings to.

When a user is in Privacy Mode, Disqus will not collect or process any personal data, as defined by GDPR. In cases where we do not have a lawful basis for processing personal data, we will apply Privacy Mode to requests from IP addresses associated with an EU country. Today, users can delete their Disqus account by following the instructions found at this link: Delete My Disqus Account. As part of our updates, we will implement new procedures to obtain consent, where needed, from Disqus users located in the EU for the collection of personal data both for processing by Disqus and, where applicable, third parties. What publishers should know and how these updates will impact them: In almost all cases, unless a publisher integrates Disqus with their own user management system through Single Sign-On, users sign up and log in to comment through Disqus.

We require publishers who use SSO to obtain consent from users for the collection and processing of their data, including by Disqus for posting comments. Disqus only obtains consent from users for the collection and processing of data necessary for the use of Disqus. As part of our compliance updates, we will no longer use unique identifiers for analytics or any other purposes for users in Privacy Mode.

Why the GDPR email deluge, and can I ignore it?

GDPR, which stands for General Data Protection Regulation, has been described as the biggest overhaul of online privacy since the birth of the internet. It is designed to give all EU citizens the right to know what data is stored on them and to have it deleted, plus protect them from privacy and data breaches. The new rules bolster the requirement for explicit and informed consent before data is processed. Typically, individuals are being asked to give explicit permission for the company to continue emailing them and holding their data. The European Union’s new stronger, unified data protection laws, the General Data Protection Regulation, will come into force on 25 May 2018, after more than six years in the making.

The new laws govern the processing and storage of EU citizens’ data, both that given to and observed by companies about people, whether or not the company has operations in the EU. They state that data protection should be both by design and by default in any operation. To ensure companies comply, GDPR also gives data regulators the power to fine up to €20m or 4% of annual global turnover, which is several orders of magnitude larger than previous possible fines. Data breaches must be reported within 72 hours to a data regulator, and affected individuals must be notified unless the data stolen is unreadable, i.e., strongly encrypted. The General Data Protection Regulation restricts the way businesses collect, store and move people’s personal data.

It applies to all companies that process the personal data of people located within the EU. Personal data includes your name, photo, email address, IP address, bank details, posts on a social networking site, medical information, biometric data and sexual orientation. Under GDPR, people get expanded rights to obtain the data a company has collected about them. If a company has a data breach, it must be reported to the relevant authority within 72 hours.

Workplace and GDPR – Workplace Stories

Many of the principles build upon the current data protection rules in place within the EU. But GDPR also places some new requirements on companies. GDPR expands current data protection law and also adds some new requirements. Workplace Premium customers act as data controllers and appoint Facebook as a data processor under the Workplace agreement. In Workplace Standard, Facebook is the data controller and is responsible for the processing of Workplace Standard users’ data.

We understand that GDPR requires Workplace Premium customers to engage data processors with appropriate safeguards to ensure an appropriate level of protection for personal data. GDPR requires Workplace Premium customers to engage data processors who can provide an appropriate level of security to meet the requirements set out in the new regulations. GDPR applies to all EU data subjects so will apply to all companies and organizations who have EU citizens as part of their business or organization. GDPR will apply to all companies processing the personal data of subjects residing in the European Union, regardless of the company’s location. The data processing addendum will ensure that you can continue to use Workplace in compliance with GDPR by providing the undertakings which we, as the data processor, must provide you with under Article 28(3).

In relation to user rights specifically, you as the data controller are responsible for compliance with your GDPR obligations. Access: Admins are able to use the Workplace APIs in order to provide access to personal data held about any user, should you receive a subject access request and to port this data if required. We have certified Workplace Premium under Privacy Shield for these required data transfers outside of the EU. Security and data privacy are principal concerns of Workplace as noted and explained in our information on Security on Workplace and Trust Center.

A GDPR expert with the data backup and recovery company Commvault said GDPR won’t help if users agree to allow their data to be harvested. About 270,000 users whose information was scraped by Cambridge Analytica had consented to having their data harvested, but the data of millions more was improperly obtained through Facebook friend connections, according to The New York Times. Put simply, GDPR might stop another Cambridge Analytica situation, but only if users turn down requests to collect their data. If anybody thinks most companies are going to comply with GDPR, ask how many complied with the current legal data protection requirements. Thompson says GDPR is forcing them to think differently.

There’s also concern that GDPR will become a boogeyman for companies, which will spend money unnecessarily on compliance. The GDPR is going to be like Y2K, but every day: an entire parasitic consulting industry will spring up to scare corporate management and shake them down for hefty fees, and ultimately the underlying thing will do nothing positive, and quite possibly lots of negative. Because the GDPR is an E.U.-wide regulation, all 28 member states, each with a different approach to data protection in the past, will now have to play by the same set of rules. Any company dealing with users in the E.U. will have to comply with the GDPR for those people – and that includes American companies.

Facebook’s response to GDPR has been closely watched, particularly after its recent scandal and CEO Mark Zuckerberg’s public comments about the regulations. That claim appeared to be slightly contradicted when Facebook recently moved the legal governance of 1.5 billion users in Africa, Asia, Australia and Latin America out of Ireland and away from the GDPR’s reach. Matthews adds the panicked awareness that the Cambridge Analytica scandal has generated in the U.S. will likely help fuel interest in GDPR and what it has to offer in Europe.

What Is the GDPR? The EU’s Online Privacy Law: Explained

As soon as Facebook’s data abuse scandal broke, questions of legality and regulation quickly came into focus. Most notably, the scandal found itself at odds with a piece of legislation in the European Union called the General Data Protection Regulation, which plenty of Americans were hearing about for the first time. The GDPR is a landmark piece of legislation in the EU that enshrines stronger data protection and digital privacy laws for EU citizens. Replacing the 1995 Data Protection Directive, the GDPR is an attempt to give internet users more of a say in how their data is used and mandates companies to adhere to strict guidelines on how it is collected, stored, and leveraged. The GDPR is an attempt to give people a say in how their data is used and mandates strict guidelines on how companies collect, store, and leverage it.

While all of this may seem a little complicated at first glance, the GDPR’s main purpose is to update international data protection laws for the 21st century. Where the 1995 Data Protection Directive allowed for such nuance in different countries, the GDPR is a regulation, which means it is a hard law, not a minimum requirement. The GDPR will attempt to unify Europe’s digital data regulations under one banner to make operating within those countries as a data collector or processor more uniform. If a company or other online entity collects or processes that information in any capacity, it is bound to protect it and offer a number of services to the person that data is about. The first of these new online rights for EU citizens is a right to be informed about what data is being collected, how it’s being used, and how long it will be retained for.

Companies may still be able to collect and store data, but not leverage it in any way. While there are low-level sanctions such as a written warning for first offenses or non-intentional noncompliance, regular data protection audits can follow – and from there the repercussions become steep.

ConvertKit Knowledge Base

This regulation will impact ConvertKit Customers and Subscribers, so we are currently auditing all of our processes to make sure we will be compliant on or before the deadline. If you currently reside in the EU, or have subscribers that reside in the EU, you need to be GDPR-compliant. You own your list: you can export your subscribers at any time, as long as you are compliant with our terms of service. You may delete subscribers at any time at their request, or we may honor their request to be removed from your list or any list if we are contacted by them directly. You may access and update your Subscribers’ data at any time.

Additionally, we’d encourage you to use custom unsubscribe links to allow Subscribers to update their preferences. New ConvertKit features to help customers comply with GDPR. We’re building four new tools you can use to find your EU subscribers, establish explicit consent, and comply with the GDPR. Find my EU subscribers – Right now ConvertKit stores location data for each subscriber, but it is for within x miles of a specific city. Method to request data deletion – Under GDPR, each of your subscribers in the EU has the right to erasure, meaning they can contact you and we will delete all of their personal data from our systems.

Custom form checkboxes if the visitor is within the EU – This feature will be enabled on the account level and add an unchecked checkbox to each opt-in form for subscribers to verify that they are consenting to receive marketing emails. Some suggestions would be: state it clearly on your form, use a double opt-in process on your Forms, or remind them where they subscribed in the footer of your emails. Keeping up-to-date information, especially proof of consent from your subscribers, can be helpful if required. We are happy to protect the privacy of our customers and our customers’ subscribers, and look forward to being compliant with such consumer-focused legislation.

GDPR Privacy Law and Unbounce: Marketing to the EU

On May 25, 2018, a new data privacy law called the General Data Protection Regulation will come into force, impacting how businesses collect and process data from individuals who live in the European Union. It’s the most significant piece of data protection legislation to be introduced in the EU in 20 years, and will replace the 1995 Data Protection Directive. Unbounce takes data privacy very seriously, and we view the GDPR as an opportunity to enhance our commitment to data protection for the benefit of our customers. We’re excited to welcome the GDPR, as we know it will help reinforce true permission-based marketing, streamlined data and building trust between marketers, prospects, and customers in the EU. As a trusted partner, our top priority is ensuring that our customers have confidence in our platform, and that the data they collect with Unbounce is processed securely and in accordance with GDPR requirements.

If you have customers in the EU, plan to have customers in the EU, or process any form of EU data, this one’s for you. Unbounce will be moving all lead data into the EU. No form submission data will be transferred out of the EU. Status: IN PROGRESS. Data Storage.

Anytime a data subject reaches out to you with a valid right to be forgotten request, you can reach out to our Customer Support team to have your lead(s) deleted within 30 days. If you collect lead data through an Unbounce form, or a 3rd party form embedded on your landing page, you must obtain consent from the data subject. Status: COMPLETE. If you cancel your Unbounce account, all lead data will be automatically deleted within 12 months. Lead Data Security: You can force and redirect incoming traffic to the secure HTTPS version of your page.

This will ensure proper encryption, both in transit and at rest, of the lead data collected on your Unbounce pages, using the latest protocols and ciphers. Sub-processor DPAs: We have taken steps to ensure that Unbounce’s customer data is secure by signing data processing agreements with each of our sub-processors.

How Europe’s new privacy rule is reshaping the internet

From Google to Slack, companies are quietly updating terms, rewriting contracts, and rolling out new personal data tools in preparation for a massive shift in the legal landscape. The rule is called the General Data Protection Regulation, and it’s poised to reshape some of the messiest parts of the internet. In theory, the GDPR only applies to EU citizens’ data, but the global nature of the internet means that nearly every online service is affected, and the regulation has already resulted in significant changes for US users as companies scramble to adapt. Much of the GDPR builds on rules set by earlier EU privacy measures like the Privacy Shield and Data Protection Directive, but it expands on those measures in two crucial ways. First, the GDPR sets a higher bar for obtaining personal data than we’ve ever seen on the internet before.

It’s a lot stronger than existing requirements, and it explicitly extends to companies based outside the EU. For an industry that’s used to collecting and sharing data with little to no restriction, that means rewriting the rules of how ads are targeted online. That’s a lot more than the fines allowed by the Data Protection Directive, and it signals how seriously the EU is taking data privacy. If the new consent rules ask companies to reshape their data policies, the proposed fines give them the motivation to make it happen. The GDPR also sets rules for how companies share data after it’s been collected, which means companies have to rethink how they approach analytics, logins, and, above all, advertising.

The GDPR adds complex new requirements for any company that gets user data second-hand, requiring a lot more transparency on what a company is doing with your data. In many cases, it’s still easier to split off EU data, which could result in European users seeing a meaningfully different internet from the rest of the world. So much of the internet is based on the free exchange of user data, especially the gnarly hairball that is the targeted advertising industry.

General Data Protection Regulation Requirements

General Data Protection Regulation proposed by the European Commission will strengthen and unify data protection for individuals within the European Union, whilst addressing the export of personal data outside the EU. The announcement of an agreement to finalize GDPR was made in December 2015 and following a vote by the EU parliament, the compliance deadline for GDPR was set for May 2018. The GDPR requirements as well as the amount of internal collaboration that will be needed to address them means organizations need to plan for compliance now. The primary objective of the GDPR is to give citizens back control of their personal data. Once GDPR takes effect it will harmonize previous and other data protection regulations throughout the EU.

GDPR Compliance Requirements. With the demise of Safe Harbor, U.S. companies that export and handle the personal data of European citizens will also need to comply with the new requirements put forth or be subject to the same consequences. GDPR does provide exceptions based on whether the appropriate security controls are deployed within the organization. For example, a breached organization that has rendered the data unintelligible through encryption to any person who is not authorized to access the data is not mandated to notify the affected record owners.

Strong key management is required to not only protect the encrypted data, but to ensure the deletion of files and comply with a user’s right to be forgotten. Gemalto offers the only complete data protection portfolio that works together to provide persistent protection and management of sensitive data, which can be mapped to the GDPR framework. No single solution will make an organization GDPR compliant. Gemalto’s SafeNet portfolio of solutions can help organizations comply with the mandate’s data security obligations. Download Gemalto’s GDPR eBook to see how Gemalto can help you identify the key aspects of GDPR and what steps to take to address its requirements.
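One way to realize the key-management point above is crypto-shredding: each data subject’s records are encrypted under that subject’s own key, and a right-to-be-forgotten request is honoured by destroying the key, which makes every copy of the ciphertext unreadable at once. The Go example below was written for this page and is not Gemalto’s code; the Store type, its method names, the AES-256-GCM envelope layout and the audit line format are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrErased = errors.New("subject key erased: record is unrecoverable")

// Store keeps one AES-256 key per data subject, apart from the records it protects.
type Store struct {
	keys    map[string][]byte // subject ID -> key (the only thing Erase destroys)
	records map[string][]byte // record ID -> nonce || AES-GCM ciphertext
	owner   map[string]string // record ID -> subject ID
	Audit   []string          // one line per erasure, for the compliance record
}

func NewStore() *Store {
	return &Store{keys: map[string][]byte{}, records: map[string][]byte{}, owner: map[string]string{}}
}

// aead builds an AES-GCM cipher for the subject, or ErrErased if its key is gone.
func (s *Store) aead(subject string) (cipher.AEAD, error) {
	key, ok := s.keys[subject]
	if !ok {
		return nil, ErrErased
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts plaintext under the subject's key (minted on first use); record ID
// and subject are bound in as additional data so a blob cannot be re-labelled.
func (s *Store) Put(recordID, subject string, plaintext []byte) error {
	if _, ok := s.keys[subject]; !ok {
		k := make([]byte, 32)
		if _, err := rand.Read(k); err != nil {
			return err
		}
		s.keys[subject] = k
	}
	g, err := s.aead(subject)
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.records[recordID] = g.Seal(nonce, nonce, plaintext, []byte(recordID+"|"+subject))
	s.owner[recordID] = subject
	return nil
}

// Get decrypts a record; after its subject has been erased it fails with ErrErased.
func (s *Store) Get(recordID string) ([]byte, error) {
	blob, ok := s.records[recordID]
	if !ok {
		return nil, fmt.Errorf("no record %q", recordID)
	}
	g, err := s.aead(s.owner[recordID])
	if err != nil {
		return nil, err
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(recordID+"|"+s.owner[recordID]))
}

// Erase honours a right-to-be-forgotten request by destroying the subject's key, which
// makes every copy of its ciphertext (backups, exports) unreadable without locating them.
func (s *Store) Erase(subject string) (string, error) {
	key, ok := s.keys[subject]
	if !ok {
		return "", fmt.Errorf("unknown subject %q", subject)
	}
	fp := sha256.Sum256(key) // audit keeps a fingerprint of the key, never the key
	for i := range key {     // overwrite in memory before dropping the reference
		key[i] = 0
	}
	delete(s.keys, subject)
	line := fmt.Sprintf("erased subject=%s key_sha256=%x", subject, fp)
	s.Audit = append(s.Audit, line)
	return line, nil
}
```

In a real deployment the subject keys would live in an HSM or key-management service and the audit line in an append-only log, so that key destruction can be evidenced independently of the application database.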

ActiveCampaign

If you collect, store, manage, or analyze personal data of any type, including email addresses, it is likely that the GDPR affects your organization. The GDPR lays out a range of requirements related to consent, individual rights, and data processing. The below overview is a non-exhaustive summary of the most significant requirements of the GDPR. Tips to prepare for the GDPR using ActiveCampaign. Learn how to set up opt-in confirmation: enabling double opt-in is a best practice that may help you comply with the affirmative consent requirements of the GDPR. When double opt-in is enabled, contacts will need to confirm their email address before receiving further communications.

Familiarize yourself with how to edit and delete contacts: under the GDPR, contacts have the right to request correction or deletion of their data. Learn how to add personal data usage statements to your opt-in forms: the GDPR requires that you tell people how you will be using their personal data when you collect it. Although the exact statements you need to include depend on how you use the data, you can include any statements you like by using an HTML block in your ActiveCampaign forms. Obtain proof of consent from existing contacts: the GDPR requires you to be able to demonstrate proof of explicit, affirmative consent from data subjects. If you are not currently able to demonstrate proof of affirmative consent for your contacts, you may need to reach out to existing contacts to obtain consent before the GDPR takes effect.

What ActiveCampaign is doing to prepare: with GDPR taking effect May 25, 2018, we want to assure our users that we will be fully compliant with the regulation. Non-Product Updates: to help with your GDPR preparation, we have an updated Data Processing Agreement available for you to use for your compliance needs. While the purpose of these updates is to help our customers stay GDPR compliant without sacrificing usability of the platform, we suggest that customers consult an attorney if they have any questions about how the GDPR will impact their business. Going forward, we will develop the product with the GDPR in mind: this means an emphasis on flexibility with regard to data.

Consumers have long wondered just what Google and Facebook know about them, and who else can access their personal data. On May 25 the power balance will shift towards consumers, thanks to a European privacy law that restricts how personal data is collected and handled. The rule, called General Data Protection Regulation or GDPR, focuses on ensuring that users know, understand, and consent to the data collected about them. Companies have to spell out why the data is being collected and whether it will be used to create profiles of people’s actions and habits. Consumers will gain the right to access data companies store about them, the right to correct inaccurate information, and the right to limit the use of decisions made by algorithms, among others.

Acxiom, a data broker that provides information on more than 700 million people culled from voter records, purchasing behavior, vehicle registration, and other sources, is revising its online portals in the US and Europe where consumers can see what information Acxiom has about them. Most of the data rights enshrined under GDPR were already established in the EU, but went unenforced. GDPR standardizes data rights across all EU countries, empowering regulators with the same big stick and sharper teeth. Even then companies must take into account a consumer’s expectation of how their data will be used and can’t infringe on the other consumer rights guaranteed under GDPR. In the digital realm, EU consumers also have the added protection of a companion set of rules, called the ePrivacy Directive, that govern electronic communication.

IO, has used UK data protection law to help individuals access personal information processed by Cambridge Analytica, the controversial firm behind the data breach affecting more than 50 million Facebook users. In a survey of UK consumers Khatibloo conducted in August, 51 percent of respondents said they were at least somewhat likely to exercise their new rights under GDPR. The most common example cited was data deletion. Consumers understand the value of exchanging their data for free services and don’t want their online experience interrupted, she says.

GDPR: Why We Stopped Selling Stuff to Europe

The EU’s new General Data Protection Regulation is a set of rules that give consumers rights about how their data is stored, used, and deleted. This step-by-step GDPR guide for managers is a great place to start understanding it, or for something a little more dry and lengthy, try Microsoft’s guide to GDPR. As a consumer, I love a lot of things about the GDPR. I’m sick and tired of software that phones home without telling us what data it’s taking, doesn’t tell us where the data goes or who sees it, and doesn’t give us the right to have it erased. The GDPR is a little vague and more than a little scary.

I’m not really worried about us maintaining the confidentiality of that data, but now we’d have to add in new auditable tracking. See, under the GDPR, if someone asks us to delete their data, we not only have to delete it, but we have to audit that we deleted it, and maintain those records for EU authorities. Today, between the GDPR and Brexit’s effect on the VAT Mini One Stop Shop – it’s just not worth the hassle. We’ll still keep the blog & mailing list open to EU folks – those are a little easier to manage – and we’re still doing SQL Bits 2018 since the conference organizers are the ones who track personal data, not us. Long term, I’m hopeful that the GDPR will get sorted out in a way that protects consumers’ rights, and still lets businesses use off-the-shelf tools and policies to provide services to the EU.

Hopefully the situation improves quickly and we can revisit that policy in 2019. Even worse, it’s not just about databases – it’s about anywhere data ends up, like email, direct messages, and flat files on a network share. The EU has never been a primary focus for us – 95% of our training revenue comes from outside of the EU. It was nice to have, but not worth the additional work & risk involved with GDPR compliance. CodeInWP’s WordPress GDPR Guide: really good place to start if you’re wondering how visitor data might get into your possession from various plugins.

Lord knows you shouldn’t be processing credit card data yourself in the year 2017 – get Stripe.com and do it all on their end.

Google Sharply Limits DoubleClick ID Use, Citing GDPR

Google is making it more difficult for advertisers to have an independent view of the data generated from ad buys in its ecosystem. In a note to partners sent Friday and obtained by AdExchanger, Google said it will no longer let buyers use the DoubleClick ID when leveraging its data transfer service. The DoubleClick ID pulls together data from the company’s various ad and consumer-facing products around a unique user ID associated with the DoubleClick cookie. As of May 25th, the same day the EU’s GDPR goes into effect, the DoubleClick ID will no longer be available for data transfers on YouTube impressions and those recorded by the DCM ad server and the DoubleClick Bid Manager DSP. Those IDs also won’t be available for DBM first in the EU, and eventually globally.

Google will also remove encrypted cookie IDs, IP addresses and user list names from data transfer for all bids in Google Ad Exchange. For buyers, stripping out the DoubleClick ID cuts off visibility to user activity within the DoubleClick ecosystem. The change will limit advertisers’ ability to measure the reach and frequency of Google campaigns against other platforms by limiting any measurement using the DoubleClick ID to Google’s own Ads Data Hub. In its note to advertisers, Google has included that the DoubleClick ID, tied to sensitive information like user search histories, could violate the strict data privacy requirements of GDPR. But for marketers, the changes make common analyses, like attribution, reach and frequency, difficult or impossible to do, said Ari Paparo, CEO of Beeswax.

Google could be banking on the fact that the long tail of advertisers will buy into its entire stack and use the DoubleClick ID as the default understanding of their audience, Heimlich said. This isn’t the first time Google has tried to get marketers on Ads Data Hub – and deeper inside the walls of its ecosystem – this month. A few weeks ago, Google suspended third-party ad serving in the EU on YouTube citing concerns over GDPR compliance. Google also said this month that a plan announced in January to discontinue third-party pixel tracking on YouTube will come into effect under GDPR. Update: This story has been updated to reflect that the DoubleClick ID is not associated with PII like names and addresses but the DoubleClick cookie.

InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework: Technical specifications for IAB Europe Transparency and Consent Framework that will help the digital advertising industry interpret and comply with EU rules on data protection and

Hosted in this repository are the technical specifications for the IAB Europe Transparency and Consent Framework that will help the digital advertising industry interpret and comply with EU rules on data protection and privacy – notably the General Data Protection Regulation that comes into effect on May 25, 2018. In November 2017, IAB Europe and a cross-section of the publishing and advertising industry announced a new Transparency & Consent Framework to help publishers, advertisers and technology companies comply with key elements of GDPR. The Framework will give the publishing and advertising industries a common language with which to communicate consumer consent for the delivery of relevant online advertising and content. IAB Tech Lab is charged with the technical governance of these specifications. Consent string and vendor list formats v1.1 Final.

The IAB Technology Laboratory is a non-profit research and development consortium that produces and provides standards, software, and services to drive growth of an effective and sustainable global digital media ecosystem. Comprised of digital publishers and ad technology firms, as well as marketers, agencies, and other companies with interests in the interactive marketing arena, IAB Tech Lab aims to enable brand and media growth via a transparent, safe, effective supply chain, simpler and more consistent measurement, and better advertising experiences for consumers, with a focus on mobile and TV/digital video channel enablement. The IAB Tech Lab portfolio includes the DigiTrust real-time standardized identity service designed to improve the digital experience for consumers, publishers, advertisers, and third-party platforms. Established in 2014, the IAB Tech Lab is headquartered in New York City with an office in San Francisco and representation in Seattle and London. IAB Europe is the voice of digital business and the leading European-level industry association for the interactive advertising ecosystem.

GDPR Technical Working Group members provide contributions to this repository. Participants in the GDPR Technical Working group must be members of IAB Tech Lab. Technical Governance for the project is provided by the IAB Tech Lab GDPR Commit Group.

GDPR and the End of the Internet’s Grand Bargain

In May the European Union’s General Data Protection Regulation goes into effect, two years after passage by the European Parliament. Data collectors can be held responsible for violations by third-party users. Though the new law was intended to unify and simplify European data practices the minimum cost of compliance for anyone doing business with any EU resident is estimated by one survey at $1 million just for changes to IT systems, not to mention the costs of a newly designated data protection officer. While European data may still be legally stored outside of the EU, for example, it’s much easier to comply with GDPR if data remains within the borders – a boon to a fledgling European cloud services industry. Internet companies have had over a decade to integrate basic data collection and use safeguards into their operations, including limiting the data they collect and adopting international information security standards.

Until now, a fast-spreading epidemic of data misuse incidents has been largely overlooked by lawmakers, including breaches and data misuse at Yahoo, Facebook, Target, Equifax, and Under Armour. That’s bad news, and not just for companies increasingly reliant for revenue on data collection, analysis and intelligence. While GDPR is certain to improve choice, control, and transparency for EU consumers, these new powers come with new responsibilities and new costs for users, not least of which are ballooning budgets for government data management and enforcement bureaucracies worldwide. Governments are hardly the experts on data security. There have been even bigger breaches of sensitive data controlled by U.S. and EU governments themselves.

Social media providers, and e-commerce platforms, along with user forums, news sites, and emerging internet-of-things service providers large and small, may rationally conclude that the new costs and potential penalties associated with collecting, analyzing, and marketing user-provided information have become unsustainable, requiring a new business model altogether. If the grand bargain unravels, entrepreneurs will no doubt innovate new ways to make money and continue developing disruptive products and services.

GDPR Summary: What Every Digital Marketer Needs to Know About the New Regulations

There are a few lines around here, but surely I don’t look old enough to have been practicing law for 20 years, but I am a data protection lawyer, and that’s what GDPR is all about. What GDPR does is it really brings our data protection laws up to date with what’s going on with data. The last data protection laws that we had in Europe are 20 years old, and if you think about the differences in what we’re doing with data now and what we did 20 years ago, there’s a huge chasm and difference between what we could do then and what we can do now, so it’s only right that the law catches up with the reality of our data processing. That’s really what GDPR is all about, making sure that you’ve got a lawful ground of processing the personal data and bearing in mind these principles. Even within industries, if you get a reputation within, say, the digital marketing industry or within the coaching industry or within the expert industry or whatever else, as the protection of personal data becomes more of a cultural norm, if you are the anomaly, then you’re going to start to lose customers.

One new legal document that you will definitely need is a new privacy notice that you are going to be giving to your prospects whenever you’re collecting their data. Probably, it’s not new, but the most important thing, and what’s come out of my Facebook group is how little people actually know about this and how little people focus on it, is the security aspect of data. If you’re dealing with sensitive data, special category data, things like data consisting of racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health data, things like that. You’ve got all these different scales of people who are processors, but essentially, they are processing our data, our lists of data under our instruction. It’s mandatory to have an agreement between the data controller and the data processor that sets out these, it’s about eight things that the GDPR says you have to have in there.

What you need to do first off is understand what is personal data and what’s not, so I’ve covered that on this call, so hopefully you know now. You need to redo your privacy notice, and again, that’s why it’s so key that you really get a good view on that data inventory of all the data that you hold and what the purpose is and what your lawful ground is, because all of that goes into your privacy notice, and if you get that wrong, and there are complaints later on, then you’re storing up problems for yourself.

Google Cloud: Ready for GDPR

Over a year ago, we wrote about our commitment to GDPR compliance across G Suite and Google Cloud Platform. Google Cloud’s focus on data security, privacy, and transparency provided a strong foundation towards achieving that commitment, and we’ve made multiple updates to ensure that Google Cloud customers can confidently use our services when the GDPR takes effect on May 25. Google Cloud generally acts as a data processor, and as a data processor we process data only as instructed by you, our customers. In turn, you own your data, and Google Cloud is committed to advancing tools and resources that put you in control. More than six months ago, well in advance of the GDPR coming into effect, we made important updates to our data processing terms for G Suite and Google Cloud Platform designed to directly address GDPR requirements.

These contractual updates clearly articulate our privacy commitments to customers, and are fundamental to GDPR compliance for both Google and our Cloud customers. If you haven’t already, you can opt in to the new terms by following the instructions for G Suite and for Google Cloud Platform. G Suite and Google Cloud Platform have provided contractual commitments to customers around incident notification for many years, and our updated terms reflect the notification timelines for processors put forth in Article 33 of the GDPR. With hundreds of Google engineers across the globe dedicated to security, Google Cloud has and will continue to invest in threat detection, prevention, and incident response capabilities. Google Cloud provides solutions that can help organizations keep their sensitive data confidential, available, and resilient.

We regularly test, assess, and evaluate the effectiveness of our technical and organizational security and privacy measures via third-party audits and certifications for G Suite and Google Cloud Platform. These certifications, as well as other third-party audits such as SOC1, SOC2, and SOC3, cover numerous services within Google Cloud. We provide GDPR-related documentation, white papers, videos, and other useful information for customers on our GDPR Resource Center, and will provide presentations, workshops, and opportunities for customers to engage directly with our compliance team in our global Cloud Summit and Cloud Next events throughout the year.